
You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.

I hope you're wrong there but somehow I doubt it

But it is the way in which most organisations rate their security or are rated. Real tests like a pen test only make up a little of how secure you are perceived to be.

I still find it hard to get my head round it sometimes. "We can't get hacked, I've got a great policy in place".

It's all just paper shuffling unless the policies and procedures (if they are good) are being followed and that has to be checked for compliance regularly. And that's why everyone hates me and I'm not even part of internal audit.

I do not see this as a problem so long as people understand that these limitations exist..............there is no such thing as the silver bullet

Certification is a process to determine if you have decided what to do, have documented it, and are actually doing it. In no way does it address "best practice". So long as this is understood and the question of best practice is dealt with in determining what you do, there is no problem, and certification indicates adherence to best practice.

As you say, a process is required to ensure that the certified processes and procedures are adhered to on an ongoing basis. I called these "checks and balances"............all you have to do is say that and "audit trail" and the beancounters will quietly wet themselves and leave you to get on with it

To illustrate my point, imagine that you have a project to implement an off the shelf stores management suite. Get hold of a copy of SSADM and PRINCE2 and just looking at the phase headings/modules determine how many would actually apply?

The first step in a project is usually to determine the methodologies and models you intend to comply with and select the bits that are actually relevant in your particular environment.

And anything additional that might constitute best practice

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Rules are made to be broken, corners to be cut................if you cannot handle that then you had better go live in an ivory tower, because you will not be able to hack it in the real world.

I do not set great store by vendor's manuals when it comes to processes or security. Firstly they are no substitute for a proper business analysis exercise and secondly, if they were that damn good, why do all these vendors keep releasing security patches (but never a patch for the manuals?)

MS03-041, MS03-042, MS03-043, MS03-044, MS03-045, MS03-046, etc. etc. were created because people didn't follow the TFM to begin with.

It seems to me that you think there is no need for vendor documentation (TFM). Rules are made to be broken? We're talking about a career, possibly someone's identity getting stolen, etc. etc. I'm talking about computer security. Not standards for a TV remote and how to eat breakfast. You feel there's no need for good documentation, everything should be on the fly? Rules are made to be broken, so are systems too I guess?

You: So given a new facility with 1,000 new nodes, you'd configure the systems via your own knowledge, and to what configurations you see fit in terms of security? And when something was incorrectly configured, you apply another round of configuration, without a checklist, or did you make one up?

Me: Given a new facility with 1,000 new nodes, I'd configure to the TFM in order to run a trusted facility. Using verified instructions and checklist.

The TCSEC is a timeless well-documented publication of standards that are still very accurate in 2005. Yeah it relies on the Bell-La Padula security model. It's still good to go.

takes the cake. It shows such a lack of understanding of the TCSEC, ITSEC, and CC that I can't even believe it.

When do transitional state models become obsolete? With the advent of new viruses, worms, and trojans? Of course not. All processes fall within the same model be they good processes or the product of malware.

The TCSEC is still valid today, it has merely been expanded and reorganized by the CC.

Rules are made to be broken, corners to be cut

I guess now we see why the rest of the world is so incredibly far behind the US when it comes to computer security. So... what was the last high assurance system designed in the UK or by a UK company? Or... any other country for that matter?

You operate in a very different "real world" than those of us who require high assurance environments. If I cut corners and break rules... I get to go to federal prison. I think being anal raped as the result of following your advice is just a little too "real world" for me.

I do not set great store by vendor's manuals when it comes to processes or security.

Fortunately for you, your job doesn't require it... in fact you prolly use systems that don't even have TFMs.

Firstly they are no substitute for a proper business analysis exercise and secondly

Nor are they intended to be... they tell you how to apply the security policy to correctly meet your business requirements. Don't you find it difficult to debate something that you don't understand?

if they were that damn good, why do all these vendors keep releasing security patches (but never a patch for the manuals?)

I've never needed to patch a system that followed the TFM, the majority of patches are for superfluous services or misconfigurations that allow a code level exception to violate the security policy. I cannot recall a single exploit for ANY system in the last 15 years that violated the TFM. Additionally TFMs are updated to comply with changes in the system... and would comply with changes in vulnerability types, except no new vulnerability types have been discovered in the last 30 years or so.

You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.

This is not true either... ISO-17799 requires that you document how your security policies have been implemented in a manner that meets the business requirements. If they don't do that, how can you document it?

I do not see this as a problem so long as people understand that these limitations exist..............there is no such thing as the silver bullet

Yes, there is such a thing as a silver bullet... it is called a process of continual improvement. ISO-21827 will get you on your way with regard to security.

It seems to me that you think there is no need for vendor documentation (TFM)

Please do not get me wrong, I am not saying that..............my point is that it is VENDOR so will show the product in its best light? and will probably contain a lot of superfluous information? You must develop your own version for your particular environment? Also, beware of manuals .......they are like instruction sheets?..............I say: "go for the model, go for the methodology".........and write your own manuals from that?

I know that I use English a lot differently from yourself, please do not hold that against me

What I am trying to say is decide what you want to do then use the manual/documentation.

I fully agree/support/insist on documentation. Where I was suggesting a different, or more practical approach, in that it should be site/business/activity related. I am wary of "vanilla" and of manuals from a different environment?.................hey! if there were a "universal solution" would a lot of us have jobs? Sure! use the vendor stuff for templates or whatever, but make sure that the "issue ammo" is your own?

Catch

Nihil, you make a lot of retarded comments

I have a little challenge for you ............. just go tell your CEO or CFO that they are "retards"............quote all the documents and standards that you like..............and see if you have the same job to go to in the morning?


Second, having recently left to found my own Information Security company... I am the equiv to the CEO.

However previously if I said "You are retards for not following the TFM." they would say "We understand that it is your job not cost avoidance, but keeping us out of jail, so why exactly are we retards?" to which I would respond... "Because the contracts require that we utilize systems of X evaluation to maintain their data. The only way to ensure that X evaluations are met is by following the TFM... if we fail to do this we not only risk losing those clients and gaining a bad reputation... but potentially you could be facing jail time for fraud by accepting those contracts in the first place knowing the conditions." There would be a bit of silence, and then I would say "It'll cost me $Y and will take Z units_of_time to accomplish, everything is in this brief." They would then say... "Losing contracts is bad... and fraud charges are even worse...*murmuring about anal rape*... we really are retards... can we give you a raise?"

But I guess I just have a better reputation than you.

Third, my old executive officers were versed in the TCSEC and knew that the development of new viruses, trojans, and worms had no impact on its validity. They also knew that its requirements are so valid that they have just been migrated into the current Common Criteria protection profiles and assurance levels.

Then say that your "personal stylist" (nihil) suggests that her nation take up baseball?

BTW.................what colour roses would you like on your coffin?

Congrats! you £$%^&*))

OH! I forgot.................you are the CTP, not the CEO?


How hard is it to just type out abbreviations at least once in your post.

It's like a noob trying to sound smart, while you're not smart. When you need weird abbreviations or weird words in general to get your message across, you're just pretending to be smart. Smart people don't need them.

EDIT: And Catch has been Googling for ages to find CTP...............but to no avail, cos I just made it up to pull his chain
